Azure Defender for container registries

Figure 1 - Enable Azure Defender for Container Registries

Kubernetes clusters

Continuous assessment of your clusters to provide visibility into misconfigurations and guidelines to help you mitigate identified threats. Learn more about environment hardening through security recommendations.

Threat protection for clusters and Linux nodes. Alerts for suspicious activities are provided by Azure Defender for Kubernetes. This Azure Defender plan defends your Kubernetes clusters whether they’re hosted in Azure Kubernetes Service (AKS), on-premises, or on other cloud providers.
Learn more about run-time protection for Kubernetes nodes and clusters.

Container hosts (VMs running Docker)

Continuous assessment of your Docker environments to provide visibility into misconfigurations and guidelines to help you mitigate threats identified by the optional Azure Defender for servers.
Learn more about environment hardening through security recommendations.

Azure Container Registry (ACR) registries

Vulnerability assessment and management tools for the images in your Azure Resource Manager-based ACR registries with the optional Azure Defender for container registries.
Learn more about scanning your container images for vulnerabilities.

What are containers?

First, what is a container? A container packages an application together with its dependencies and runs it as a process that is isolated from the other containers on the same host.

With Docker you have the host and the Docker engine installed on top of it. The host can be any machine that runs the Docker engine, physical or virtual.

Each container runs its own workload without knowing about the container next door. Note that, unlike virtual machines, all containers on a host share the host’s kernel, so the isolation rests on kernel namespaces, cgroups and the hardening of the host itself.

Two pictures tell it all: the difference between Docker and traditional virtualization.

And if you want to deploy an image to a Docker host and make it fault-tolerant, you would need to deploy it by hand to every single Docker host. This is where Kubernetes comes into play.

Kubernetes

Kubernetes (also known as k8s or “kube”) is an open source container orchestration platform that automates many of the manual processes involved in deploying, managing, and scaling containerized applications.

  • Service discovery and load balancing Kubernetes can expose a container using the DNS name or using their own IP address. If traffic to a container is high, Kubernetes is able to load balance and distribute the network traffic so that the deployment is stable.
  • Storage orchestration Kubernetes allows you to automatically mount a storage system of your choice, such as local storage, public cloud providers, and more.
  • Automated rollouts and rollbacks You can describe the desired state for your deployed containers using Kubernetes, and it can change the actual state to the desired state at a controlled rate. For example, you can automate Kubernetes to create new containers for your deployment, remove existing containers and adopt all their resources to the new container.
  • Automatic bin packing You provide Kubernetes with a cluster of nodes that it can use to run containerized tasks. You tell Kubernetes how much CPU and memory (RAM) each container needs. Kubernetes can fit containers onto your nodes to make the best use of your resources.
  • Self-healing Kubernetes restarts containers that fail, replaces containers, kills containers that don’t respond to your user-defined health check, and doesn’t advertise them to clients until they are ready to serve.
  • Secret and configuration management Kubernetes lets you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. You can deploy and update secrets and application configuration without rebuilding your container images, and without exposing secrets in your stack configuration.

So with Kubernetes you can automate the orchestration of your Docker images. The running containers are grouped into pods, and a pod is the smallest unit that Kubernetes schedules and manages.
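The “misconfigurations” that the continuous assessment of clusters reports are mostly properties of the pod spec. As an added example (not code from this post or from Microsoft), here is a small checker that walks a Pod manifest, given as the plain dict you get from yaml.safe_load, and flags the kind of settings that cluster hardening recommendations are about: privileged containers, containers that may run as root, shared host namespaces, hostPath mounts, writable root filesystems, dangerous added capabilities, missing CPU/memory limits and unpinned images. The two sample pods are constructed for the example, and the exact list of checks is my choice, not the product’s rule set.

```python
# Added example, not code from the post or from Microsoft: a small checker for
# the kind of pod misconfigurations that cluster hardening recommendations
# flag. Input is a Pod manifest as a plain dict (what yaml.safe_load gives you);
# the two sample pods below are constructed for this example.
from typing import Any, Dict, List

# capabilities that effectively hand over the node; the set is my choice
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}


def _containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    # initContainers run with the same privileges, so check them too
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding string per misconfiguration; an empty list means clean."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: shares the host {flag[4:]} namespace")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"{name}: volume {vol.get('name')} mounts hostPath {path}")

    for c in _containers(spec):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # allowPrivilegeEscalation defaults to true, so it must be set to false explicitly
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not set to false")
        # container-level settings override pod-level ones
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and (uid is None or uid == 0):
            findings.append(f"{name}/{cname}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        added = set(sc.get("capabilities", {}).get("add", []))
        if added & DANGEROUS_CAPS:
            findings.append(f"{name}/{cname}: adds capabilities {sorted(added & DANGEROUS_CAPS)}")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}/{cname}: no {res} limit")
        # an image without a tag, or tagged :latest, is not reproducible;
        # rsplit on "/" so a registry port such as host:5000 is not mistaken for a tag
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            findings.append(f"{name}/{cname}: image {image!r} is not pinned to a tag or digest")
    return findings


# constructed sample: a typical "debug box" that would light up every check
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-box"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "image": "ubuntu:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# constructed sample: the same idea hardened (registry name is made up)
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "myacr.azurecr.io/web:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", check_pod(pod) or "clean")
```

The checker inspects the static manifest only; a cluster assessment like Security Center’s additionally sees what is actually running, including pods created by controllers after the manifest was admitted.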

Components of Kubernetes

Azure Kubernetes Service

Back in 2017 Microsoft released AKS (Azure Kubernetes Service).

Azure Container Registry (ACR) is a private registry service for building, storing, and managing container images and related artifacts. You create a registry instance in the Azure portal, use Docker commands to push a container image into the registry, and then pull and run the image from your registry.

So with ACR and AKS a developer can keep the container images in the registry, run them through pipelines that do the compliance checks, and then deploy the image to the clusters that run the containers.

And for this reason there is Azure Defender for container registries: it scans the images in the registry for vulnerabilities, so that a known-bad image is caught before it is deployed.
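The “compliance check” step of such a pipeline is where the registry scan results get used. As an added example (not code from this post or from Microsoft), here is a gate that takes vulnerability findings for an ACR image and refuses to promote the image while any open, patchable High-severity finding remains. The nested row shape (properties.status.severity, properties.additionalData.repositoryName / imageDigest / patchable) is my assumption about what an exported sub-assessment looks like; every row is constructed sample data with made-up CVE ids, and the blocking policy is an example policy, not the product’s.

```python
# Added example, not code from the post or from Microsoft: a pipeline gate over
# vulnerability findings for an ACR image. The row shape below is an assumption
# about the exported sub-assessment rows, and all rows are constructed sample
# data with made-up CVE ids.
from collections import Counter
from typing import Any, Dict, List, Tuple

SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"properties": {"id": "CVE-2021-11111", "status": {"code": "Unhealthy", "severity": "High"},
                    "additionalData": {"repositoryName": "web", "imageDigest": "sha256:aaa", "patchable": True}}},
    {"properties": {"id": "CVE-2021-22222", "status": {"code": "Unhealthy", "severity": "Medium"},
                    "additionalData": {"repositoryName": "web", "imageDigest": "sha256:aaa", "patchable": True}}},
    {"properties": {"id": "CVE-2021-33333", "status": {"code": "Unhealthy", "severity": "High"},
                    "additionalData": {"repositoryName": "web", "imageDigest": "sha256:bbb", "patchable": False}}},
    {"properties": {"id": "CVE-2021-44444", "status": {"code": "Healthy", "severity": "Low"},
                    "additionalData": {"repositoryName": "api", "imageDigest": "sha256:ccc", "patchable": True}}},
]


def flatten(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only open (Unhealthy) findings and lift the fields the gate needs to the top level."""
    out: List[Dict[str, Any]] = []
    for row in rows:
        p = row.get("properties", {})
        status = p.get("status", {})
        if status.get("code") != "Unhealthy":
            continue  # Healthy rows are resolved findings, not open ones
        extra = p.get("additionalData", {})
        out.append({
            "id": p.get("id"),
            "severity": status.get("severity", "Unknown"),
            "repository": extra.get("repositoryName"),
            "digest": extra.get("imageDigest"),
            # treat a missing patchable flag as patchable so it is not silently waved through
            "patchable": bool(extra.get("patchable", True)),
        })
    return out


def evaluate_image(findings: List[Dict[str, Any]], repository: str, digest: str,
                   block_severities: frozenset = frozenset({"High"}),
                   block_unpatchable: bool = False) -> Tuple[bool, List[str], Dict[str, int]]:
    """Decide whether repository@digest may be promoted.

    Returns (allowed, blocking_ids, severity_counts). Findings are matched on the
    image digest, not the tag, because a tag can be moved to a different image.
    """
    mine = [f for f in findings if f["repository"] == repository and f["digest"] == digest]
    counts = Counter(f["severity"] for f in mine)
    blocking = sorted(f["id"] for f in mine
                      if f["severity"] in block_severities
                      and (f["patchable"] or block_unpatchable))
    return (not blocking, blocking, dict(counts))


if __name__ == "__main__":
    open_findings = flatten(SAMPLE_ROWS)
    for repo, digest in (("web", "sha256:aaa"), ("web", "sha256:bbb"), ("api", "sha256:ccc")):
        allowed, blocking, counts = evaluate_image(open_findings, repo, digest)
        print(f"{repo}@{digest}: {'ALLOW' if allowed else 'BLOCK'} {blocking} {counts}")
```

By default only patchable findings block: an unpatchable High finding is still reported in the counts, but there is nothing the image author can do about it except wait for the upstream fix, so blocking on it is a separate, explicit policy switch.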

Defender for container registries

Here is a nice picture of what happens when you enable the protection and thus the monitoring.

High-level architecture of the interaction between Azure Security Center, Azure Kubernetes Service, and Azure Policy

There is also Azure Defender for Kubernetes, which protects the clusters themselves rather than only the registries; which plans you need depends on your configuration and needs.

With this plan you can go even further: through Azure Arc it also covers on-premises and other-cloud deployments of Kubernetes.

The Azure Defender extension for Azure Arc enabled Kubernetes is currently in public preview, so it’s free, but you shouldn’t rely on it in production yet; it’s a nice feature once it reaches general availability.

A high-level architecture diagram outlining the interaction between Azure Defender for Kubernetes and an Azure Arc enabled Kubernetes clusters.

Availability

Release state: Preview. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Required roles and permissions: Security admin can dismiss alerts; Security reader can view findings.

Pricing: Free (during preview).

Supported Kubernetes distributions:
  • Azure Kubernetes Service on Azure Stack HCI
  • Kubernetes
  • AKS Engine
  • Azure Red Hat OpenShift
  • Red Hat OpenShift (version 4.6 or newer)
  • VMware Tanzu Kubernetes Grid
  • Rancher Kubernetes Engine

Limitations: Azure Arc enabled Kubernetes and the Azure Defender extension don’t support managed Kubernetes offerings like Google Kubernetes Engine and Elastic Kubernetes Service. Azure Defender is natively available for Azure Kubernetes Service (AKS) and doesn’t require connecting the cluster to Azure Arc.

Environments and regions: Availability for this extension is the same as Azure Arc enabled Kubernetes.

And this is why I love Microsoft products: they provide compliance, governance and security for the whole set of various solutions, and you can even use your Azure AD credentials in most of them.

What’s new and coming

And there are at least seven new feature releases concerning Kubernetes in the Book of News.

And a link to the whole book, nice reading.

More to come as Microsoft Ignite is on its way November 2–4! Stay tuned and safe!

Author: Harri Jaakkonen
